[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] AFS - The Ultimate Sulution?

To: "Paul Sebastian Ziegler" <psz@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] AFS - The Ultimate Sulution?
From: "マグロ原子" <atoom.tonijn@xxxxxxxxx>
Date: Wed, 20 Sep 2006 13:32:48 +0200

On 9/17/06, Paul Sebastian Ziegler <psz@xxxxxxxxxxx> wrote:
> Yes, it would still be possible to root the system, but how would that
> help to get another user?
> Even if the system is rooted you would only have access to your own
> files and could not even crack other user's pws since they aren't in
> your password-file.

Since every machine would run the same image, if your system is
rooted, all others could be.

> As you said this requires that the AFS-Server is being kept up to date.
> But the Images wouldn't have to be.

Yes they would.

> Of course somebody could be hardlogging on a workstation, but it
> wouldn't be possible to sniff pws from the kerberos-session due to
> encryption.

Again if the system is rooted, it's possible to install a modified
"loader", which loads a modified OS image, which can sniff passwords
and do everything else.

Nyoro~n

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] AFS - The Ultimate Sulution?
  - From: Paul Sebastian Ziegler

Prev by Date: Re: [Full-disclosure] SimpleBoard Mambo Component 1.1.0 Remote File Include
Next by Date: [Full-disclosure] Cross Site Scripting Vulnerabilities in multiple Greek Web Banking sites
Previous by thread: Re: [Full-disclosure] AFS - The Ultimate Sulution?
Next by thread: Re: [Full-disclosure] AFS - The Ultimate Sulution?
Index(es):
- Date
- Thread